If it isn't clear in the question ask the proctor. Every answer is it depends on the question.
2 very unlikely you would ever want to use pass if the protocol is supported with inspect. Regards, Tyson Scott - CCIE #13513 R&S, Security, and SP Managing Partner / Sr. Instructor - IPexpert, Inc. Mailto: [email protected] Telephone: +1.810.326.1444, ext. 208 Live Assistance, Please visit: www.ipexpert.com/chat eFax: +1.810.454.0130 IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S, Voice, Security & Service Provider) certification(s) with training locations throughout the United States, Europe, South Asia and Australia. Be sure to visit our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com <http://www.ipexpert.com/> From: Pemasiri Devanarayana [mailto:[email protected]] Sent: Tuesday, February 08, 2011 6:27 PM To: [email protected]; Tyson Scott; Kingsley Charles Subject: Zone Base Firewall and NAT on ASA Hi All, I have the following questions and appreciate your correct solutions how we face those in the real lab exam.. 1) if a question asked you to configure nat for allow ftp/http or dns doctoring etc.. do we need to configure to allow those traffic (http/ftp/dns etc.) on the firewall outside interface in addition to the question stated NAT configurations..? 2. in ZBF if the question said traffic (any ip traffic) from zone x to zone y should be allowed...how do we know whether its the class-map with pass or class map with inspect..?? We know that pass will not have return traffic allow and not state table, but how do we understand whether it should be configured for pass or inspect..? 3) again in ZBF...if the question does not ask anything about from Inside to outside, should we still inspect the traffic from inside to outside..? thanks Pemasiri
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
